This computer scientist tracks down expensive bugs in cryptocurrency code

In the spring of 2022, before some of the more volatile events that would hit the crypto world last year, an NFT artist named Micah Johnson held another auction of his drawings. Micah Johnson is known in crypto circles for images featuring his character Aku, a young Black boy who dreams of becoming an astronaut. Collectors were eager to take part in this new edition. On the day of the auction, they spent a total of $34 million to acquire these NFTs.

Then tragedy struck. The “smart contract” code written by Micah Johnson’s software team to run the cryptocurrency auction contained a critical bug. All $34 million of the artist’s sales was locked on the Ethereum blockchain. The consequences: Micah Johnson could not withdraw the funds. Nor could he refund the people who had bid on one of his NFTs without winning. The virtual currency was frozen, untouchable, “locked in chains” as they say.


Micah Johnson might regret not having turned to Ronghui Gu, the co-founder of CertiK, the largest smart contract verifier in the glittering and unpredictable universe of cryptocurrencies and Web3. A friendly and talkative computer science professor at Columbia University, Ronghui Gu leads a team of more than 250 people who review cryptocurrency code to make sure it’s not riddled with bugs.



Crypto-code is harsher than traditional software

CertiK’s work will not prevent you from losing your money when a cryptocurrency crashes. Nor will the company prevent a cryptocurrency exchange from misusing your funds. But CertiK can help prevent a software glitch from causing irreparable damage. Among its clients, the company counts some of the biggest players in cryptocurrency, such as Bored Ape Yacht Club and the Ronin Network, which manages a blockchain used in games. Customers sometimes come to Ronghui Gu after losing hundreds of millions of dollars, hoping that this computer scientist will ensure that such a misfortune never happens again.

“This is really a wild world,” Ronghui Gu said with a laugh.

Crypto-code is harsher than traditional software. Silicon Valley engineers usually try to make their programs as bug-free as possible before shipping them, but if a problem or bug is discovered later, the code can be updated.

This is not possible in many cryptocurrency projects. They operate using smart contracts, i.e. computer code that manages transactions. Suppose you want to pay an artist 1 ETH for an NFT: a smart contract can be coded to automatically send you the NFT token when the money arrives in the artist’s wallet. The problem is that once the smart contract code is written to a blockchain, you can’t update it. If you discover a bug later, it’s too late: the whole point of blockchains is that you can’t change what’s written on them. Worse, the code hosted on a blockchain is visible to everyone: hackers can study it at their leisure and find errors to exploit.

The Ronin network lost over $600 million to a hack

The number of these hacks is staggering and they are very profitable. At the beginning of 2022, the Wormhole platform had more than $320 million worth of cryptocurrency stolen. Afterwards, the Ronin network lost over $600 million in crypto.

“This is the most expensive hack in history,” said Ronghui Gu, shaking his head almost in disbelief. “They say Web3 is eating the world, but hackers are eating Web3.”

In recent years, many auditors have appeared. CertiK, co-founded by Ronghui Gu, is the most important of these: the company, valued at two billion dollars, estimates that it has performed 70% of all audits regarding smart contracts to identify in real time if one of them is hacked.

Not bad for someone who entered this universe by chance. Ronghui Gu didn’t start out in cryptography; he spent his doctorate in the field of verifiable software, exploring ways to write code that behaves mathematically and predictably. But this topic has become very relevant in the cutthroat world of smart contracts. He founded CertiK with his thesis advisor in 2018. Ronghui Gu now straddles the worlds of academia and cryptocurrency. He continues to teach courses at Columbia on compilers and formal verification of system software and supervises several graduate students (one of whom is researching compilers for quantum computing), while traveling to events at Davos and Morgan Stanley, wearing his usual black shirt and dark jacket, to try to convince the bigwigs in crypto and finance to take blockchain hackers seriously.

Cryptocurrency is known for its boom and bust cycle. FTX’s crash in November is just one recent example of such a blow. Ronghui Gu thinks that he will have a job for many years. Major businesses, such as banks and, he says, “a major search engine,” are starting to launch their own blockchain products and hire CertiK to help keep their ships in order. If established companies start injecting more code into blockchains, they will attract more and more hackers, including state actors. “The threats we face,” he observes, “are intensifying.”

Article by Clive Thompson, translated from English by Kozi Pastakia.

